dc9ebb8796280aa68eb5c53fa203cbae9ceae250a85381ba7284971e124d8784

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 13:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

InstallSoftware_s2000_v8.2.exe
Size

108.6MB
MD5

55d4a99896f1441c9ca96e478b3291f4
SHA1

7c98bd08a0c095c0d49380461a7c5dd48c16392f
SHA256

dc9ebb8796280aa68eb5c53fa203cbae9ceae250a85381ba7284971e124d8784
SHA512

4485a81c9e2b05a7553f078a53bfae805e1f22ea6ba83d3f2090119676262f8b5a228241ee09464fa350623a3be903f444be1f7edae8a37fe76e5f25b8224758
SSDEEP

3145728:AteFPNPnJEO0ZSz/ckIKd/DwAVXHoMxm1LArJvKKb:AebD0ZSTckIQ/DwMZx5rJyKb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	set_up_wizard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	set_up.exe

Executes dropped EXE 4 IoCs

pid	Process
4048	InstallSoftware_s2000_v8.2.exe
4628	set_up.exe
2144	set_up_wizard.exe
5080	helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3	helper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4	helper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6	helper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7	helper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	helper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5	helper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	helper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	helper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	helper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	helper.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2144	set_up_wizard.exe
2144	set_up_wizard.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	set_up_wizard.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4628	set_up.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4048	2252	InstallSoftware_s2000_v8.2.exe	88
PID 2252 wrote to memory of 4048	2252	InstallSoftware_s2000_v8.2.exe	88
PID 2252 wrote to memory of 4048	2252	InstallSoftware_s2000_v8.2.exe	88
PID 4048 wrote to memory of 4628	4048	InstallSoftware_s2000_v8.2.exe	98
PID 4048 wrote to memory of 4628	4048	InstallSoftware_s2000_v8.2.exe	98
PID 4048 wrote to memory of 4628	4048	InstallSoftware_s2000_v8.2.exe	98
PID 4628 wrote to memory of 2144	4628	set_up.exe	99
PID 4628 wrote to memory of 2144	4628	set_up.exe	99
PID 2144 wrote to memory of 5080	2144	set_up_wizard.exe	101
PID 2144 wrote to memory of 5080	2144	set_up_wizard.exe	101
PID 2144 wrote to memory of 5080	2144	set_up_wizard.exe	101

C:\Users\Admin\AppData\Local\Temp\InstallSoftware_s2000_v8.2.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSoftware_s2000_v8.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\e5782bd\InstallSoftware_s2000_v8.2.exe
  run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\InstallSoftware_s2000_v8.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\set_up.exe
    .\set_up.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\net4\set_up_wizard.exe
      "C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\net4\set_up_wizard.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\helper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\helper.exe" -t "helperinput.xml"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\drivers\setup.txt

Filesize
907B

MD5
49d51dd0009a9679afcefa51d5414974

SHA1
9c6e8dd62605670ae60282bfa214b018926cc61e

SHA256
37e85ca01a3e067fd625f8bebc223a71b7705d4c608e82b30d4fd42ce42845fa

SHA512
9ea29ddca1a7e6cee6afb7ad451be7efbb8cb4efe277e708ea10902588c0c3487162a0fa8306416c2acfe940cb534b0702fbe6e7fdd34d2ac3d2166975cf1bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\helper.exe

Filesize
1.8MB

MD5
9a33c7c197b8574a86356ad4cd2e0f68

SHA1
2b9e476594881ab9c3f56b916d96507695215313

SHA256
0de06f8d32bca656bf3d65817fb290ea158d38f69ee53e63265ca8cdc38cdf91

SHA512
6c772c5b0e610eb7975b9e08ea199d8ffd376ce7b3cc3c6977ba2789c06983bebba98480d5c6eabc1d2de37dee720fc8d0d4add193726be616cab28492d26f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\helper.exe

Filesize
1.8MB

MD5
9a33c7c197b8574a86356ad4cd2e0f68

SHA1
2b9e476594881ab9c3f56b916d96507695215313

SHA256
0de06f8d32bca656bf3d65817fb290ea158d38f69ee53e63265ca8cdc38cdf91

SHA512
6c772c5b0e610eb7975b9e08ea199d8ffd376ce7b3cc3c6977ba2789c06983bebba98480d5c6eabc1d2de37dee720fc8d0d4add193726be616cab28492d26f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\set_up.exe

Filesize
2.2MB

MD5
3790d5ee78e894f8dcb318a22c722c89

SHA1
5d9973a4ee7e5703674c41b3945eee453778978d

SHA256
fa121c9647d7b8891b114a49ec8fc52b11ea50cf13728508c6b96ece8fa97215

SHA512
d0d108d0d8d83615fafe53af04d92c94c9505986ba91ed86ba7f1db68480b763f3d5c6f3a288b2f65b7f9a6ec542c5d823b6090915f34af82669a2a3e9dce8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\set_up.exe

Filesize
2.2MB

MD5
3790d5ee78e894f8dcb318a22c722c89

SHA1
5d9973a4ee7e5703674c41b3945eee453778978d

SHA256
fa121c9647d7b8891b114a49ec8fc52b11ea50cf13728508c6b96ece8fa97215

SHA512
d0d108d0d8d83615fafe53af04d92c94c9505986ba91ed86ba7f1db68480b763f3d5c6f3a288b2f65b7f9a6ec542c5d823b6090915f34af82669a2a3e9dce8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.txt

Filesize
907B

MD5
49d51dd0009a9679afcefa51d5414974

SHA1
9c6e8dd62605670ae60282bfa214b018926cc61e

SHA256
37e85ca01a3e067fd625f8bebc223a71b7705d4c608e82b30d4fd42ce42845fa

SHA512
9ea29ddca1a7e6cee6afb7ad451be7efbb8cb4efe277e708ea10902588c0c3487162a0fa8306416c2acfe940cb534b0702fbe6e7fdd34d2ac3d2166975cf1bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\data\background_main.png

Filesize
68KB

MD5
1523c7d0adc5b65810647b6aafb1bcac

SHA1
1679c606dae08c8642465c0b8bf88cdf2e80fd7e

SHA256
a2dc70e3ceb3a9df388f87302307e720f0e52053ceba0e55606cc3affbd3e086

SHA512
feb939e53a8f903f50b319b7ac649aa261d59d3fcae50dfcd3eed749eba0a7013473f8466987c5db2119b3c24fead5ae2c81aaa237a9ed43391b1663af8d72a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\data\setupwizard.ico

Filesize
288KB

MD5
972ae3738d1fde286be9b7c4587a64fb

SHA1
cd26af31e14ca704742ce9cf034889a39c16ad63

SHA256
ae6b43f0f3ab6399176b1e7283ed7c44a44c0f3ed8f364c4fdea454c90952103

SHA512
9f803e1806b25ad1181c2434f714c7c1b5af05dfef77e214db6eb24d65de563cf0fb25af8dc0b5f2deaaecaa3f0fe97e8d00a237af348e4c1bc8b66f643a02b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\data\setupwizard.xml

Filesize
1KB

MD5
12b6adbcdea255ca24015342254c9725

SHA1
9b43e0f7c47a91a585cba92358fb32ca54aa76b6

SHA256
16ffa378b321b07d35e94c375203bf16e5ff8ddd65547176fd9cf68d66d44b8f

SHA512
00576e54cb081f29c188389852121671a716f900b4cf353d1fd75e120ee0ead9208d35d8583a07292d05803e244f8e02dcaef44cb23448fd8c1af178592ded0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\net4\set_up_wizard.exe

Filesize
1.2MB

MD5
b2e9c1606855fd2415cd0b499a035311

SHA1
72aa616f921c704733ad23bdfbadbd2a09ca2a8e

SHA256
f4cd8ef685c04fdb1b1e8ecf52752c669349918d3589fb1893418814d2138c9b

SHA512
6b15da15100308706f6b829d236cd90ccc748d4d280ae3b824eda4d0aac43de11fd27caba6dede4d711de608a344dac9c9f41fed306889d3cd92734a669d27cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\net4\set_up_wizard.exe

Filesize
1.2MB

MD5
b2e9c1606855fd2415cd0b499a035311

SHA1
72aa616f921c704733ad23bdfbadbd2a09ca2a8e

SHA256
f4cd8ef685c04fdb1b1e8ecf52752c669349918d3589fb1893418814d2138c9b

SHA512
6b15da15100308706f6b829d236cd90ccc748d4d280ae3b824eda4d0aac43de11fd27caba6dede4d711de608a344dac9c9f41fed306889d3cd92734a669d27cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\net4\set_up_wizard.exe.config

Filesize
175B

MD5
2bab367bdd158ffdb2692ceb8f9192d9

SHA1
c2508cde051c4c479ebdee5363b51dcac1c99fe3

SHA256
e2bb14dfde14692aa253a032e8fd243b8fba936b1ab72114706ed4817b99cfb9

SHA512
51eb805e67a1442fc70f55c32589d44b6125afca8664024968ee87bd16abc203f5d2eea72df40a4ac443ed6f5ef71de6b94ed387e5c85dc899f9dadb31648c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\wizard\net4\set_up_wizard.exe.config

Filesize
175B

MD5
2bab367bdd158ffdb2692ceb8f9192d9

SHA1
c2508cde051c4c479ebdee5363b51dcac1c99fe3

SHA256
e2bb14dfde14692aa253a032e8fd243b8fba936b1ab72114706ed4817b99cfb9

SHA512
51eb805e67a1442fc70f55c32589d44b6125afca8664024968ee87bd16abc203f5d2eea72df40a4ac443ed6f5ef71de6b94ed387e5c85dc899f9dadb31648c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5782bd\InstallSoftware_s2000_v8.2.exe

Filesize
108.6MB

MD5
55d4a99896f1441c9ca96e478b3291f4

SHA1
7c98bd08a0c095c0d49380461a7c5dd48c16392f

SHA256
dc9ebb8796280aa68eb5c53fa203cbae9ceae250a85381ba7284971e124d8784

SHA512
4485a81c9e2b05a7553f078a53bfae805e1f22ea6ba83d3f2090119676262f8b5a228241ee09464fa350623a3be903f444be1f7edae8a37fe76e5f25b8224758

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5782bd\InstallSoftware_s2000_v8.2.exe

Filesize
108.6MB

MD5
55d4a99896f1441c9ca96e478b3291f4

SHA1
7c98bd08a0c095c0d49380461a7c5dd48c16392f

SHA256
dc9ebb8796280aa68eb5c53fa203cbae9ceae250a85381ba7284971e124d8784

SHA512
4485a81c9e2b05a7553f078a53bfae805e1f22ea6ba83d3f2090119676262f8b5a228241ee09464fa350623a3be903f444be1f7edae8a37fe76e5f25b8224758

Download Submit
C:\Users\Admin\AppData\Local\Temp\helperinput.xml

Filesize
306B

MD5
4e11e601cbbf774e34cc364687c5ad72

SHA1
f67b4e838a43d13d3ff326196c4ed579cfea93ac

SHA256
90867626b7e306183aa8c30bb80f1177187e75e97da45af3f039420f342c1d9c

SHA512
d524667f6665cabb904f3b294843eb3552e2d995260172d26aa69c6fe2dc5fe38a6f2023475aff6f7c3d0c1bd3808435c7ca09a0bb8a5bff284e36a87d5c2960

Download Submit
C:\Users\Admin\AppData\Local\Temp\helperinput.xml

Filesize
306B

MD5
4e11e601cbbf774e34cc364687c5ad72

SHA1
f67b4e838a43d13d3ff326196c4ed579cfea93ac

SHA256
90867626b7e306183aa8c30bb80f1177187e75e97da45af3f039420f342c1d9c

SHA512
d524667f6665cabb904f3b294843eb3552e2d995260172d26aa69c6fe2dc5fe38a6f2023475aff6f7c3d0c1bd3808435c7ca09a0bb8a5bff284e36a87d5c2960

Download Submit
C:\Users\Admin\AppData\Roaming\kds_kodak\setupwizard\setupwizard\log.20231003134926225632\134927helperresults.xml

Filesize
2KB

MD5
366b89224dc40fe52aa8d9f4710b7b7f

SHA1
4d76744011ddb7a3bf973f7b7fde7eda2badd2e2

SHA256
43717c2e3efcd57aba0d23960b71b14c4463e38698a214344841a5e5aa614e56

SHA512
00235d08ba302cf50a919019a4230d858ab684b31b75e5a45fcfbf06b054cce6ce62ce195b01b55dd27e5a163b7ee2e5bee0cdd9bbbd96cba0e215e7e07e6d48

Download Submit
C:\Users\Admin\AppData\Roaming\kds_kodak\setupwizard\setupwizard\log.20231003134926225632\134927helperresults.xml

Filesize
2KB

MD5
366b89224dc40fe52aa8d9f4710b7b7f

SHA1
4d76744011ddb7a3bf973f7b7fde7eda2badd2e2

SHA256
43717c2e3efcd57aba0d23960b71b14c4463e38698a214344841a5e5aa614e56

SHA512
00235d08ba302cf50a919019a4230d858ab684b31b75e5a45fcfbf06b054cce6ce62ce195b01b55dd27e5a163b7ee2e5bee0cdd9bbbd96cba0e215e7e07e6d48

Download Submit
memory/2144-426-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/2144-349-0x00007FFE37EB0000-0x00007FFE38971000-memory.dmp

Filesize
10.8MB

Download
memory/2144-348-0x0000000000B20000-0x0000000000C5E000-memory.dmp

Filesize
1.2MB

Download
memory/2144-350-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/2144-359-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/2144-427-0x00007FFE37EB0000-0x00007FFE38971000-memory.dmp

Filesize
10.8MB

Download
memory/2144-428-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/2144-429-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/2144-430-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/5080-423-0x0000000001140000-0x0000000001143000-memory.dmp

Filesize
12KB

Download
memory/5080-424-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download